bpftrace

High-level tracing language for Linux eBPF.

TLDR

Display bpftrace version

$ bpftrace -V
copy

List all available probes

$ sudo bpftrace -l
copy

Run a one-liner program (e.g syscall count by program)

$ sudo bpftrace -e '[tracepoint:raw_syscalls:sys_enter { @[comm] = count(); ]}'
copy

Run a program from a file

$ sudo bpftrace [path/to/file]
copy

Trace a program by PID

$ sudo bpftrace -e '[tracepoint:raw_syscalls:sys_enter /pid == 123/ { @[comm] = count(); ]}'
copy

Do a dry run and display the output in eBPF format

$ sudo bpftrace -d -e '[one_line_program]'
copy

Copied to clipboard
gala